DETAILED ACTION

1. Applicant's amendment filed on December 16, 2005 has been entered. Claims 
1-8, 10-12, 14-20 are pending. Claims 9 and 13 are cancelled by the applicant. Claims 
1, 6, 7, 8, 10, 11, 17-20 are also previously amended by the applicant and claim 7 is 
currently amended by the applicant. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1, 6-8, 10-12, 14-19 and 20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Martherus et al (US Pub No. 2002/0112155) and in view of Guski et 
al (US Patent No. 5,592,553). 

As per claim 1, Martherus teaches: 
authentication authority means to serve as a Web services powerhouse to authenticate 
user identity [Fig. 1 component 34 paragraph 0083 lines 3-4], 
gateway authority means to serve as a gateway to delegate (forward) said 
authentication authority Web services to said authentication authority means [Fig. 1 
component 28, paragraph 0189 lines 16-17], 
authentication client means to serve as an end-user device [Fig. 1 component 12], 
authentication handler means to serve as a doorkeeper to protect resources of business 
entities using said authentication authority Web services [Fig. 1 component 18, 
paragraph 0076 lines 2-4], 

means comprising: 

transmitting from said authentication client means to said authentication handler means 
[Fig. 1 paragraph 0088 lines 10-12], 

composing authentication requests by said authentication handler means, and 
transmitting said authentication requests from said authentication handler means to 
means selected from the group consisting of said gateway authority means and said 
authentication authority means [Fig. 1 paragraph 0088 line 12 paragraph 0082], 
processing said authentication requests by said gateway authority means, and 
redirecting said authentication requests from said gateway authority means to said 
authentication authority means [Fig. 1 paragraph 0088 lines 12, 16-17], 
generating authentication responses by said authentication authority means, and 
transmitting said authentication responses back to said authentication handler means 
[Fig. 1 paragraph 0088 lines 32-34], 

whereby a scalable and distributable system to authenticate and validate said user 
identity will be provided [paragraph 0088 28-32 paragraph 0083 lines 3-4], 
whereby the authentication system can be used as an ID verification system for said 
business entities to verify said user identity over a channel selected from the group 
consisting of the Internet, phone and other communication means [Fig. 1 paragraph 
0013 lines 11-12]. 

Martherus teaches technology for authenticating a user and the user's access 
requests for a protected resource. Martherus doesn't expressly mention that the end-user 
device generates the one-time identity codes. 

However, Guski teaches that the end-user device generates the one-time 
identity codes [col. 6 lines 35-37 Fig. 3, Fig. 2]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Guski into the 
teaching of Martherus to generate one-time identity codes. The modification would be 
obvious because one of ordinary skill in the art would be motivated to prevent 
unauthorized access to system resources by using the intercepted passwords together 
with nonsecret information as a user ID [Guski, col. 1 lines 25-28]. 

As per claim 6, the rejection of claim 1 is incorporated and Martherus 
teaches: 

gateway authority means and said authentication authority means contain means 
comprising the use of Web services technology to be separated and placed in the 
Internet accessible environment to become said scalable and distributable system [Fig. 
1]. 

As per claim 7, the rejection of claim 1 is incorporated and Martherus 
teaches: 

said authentication authority means contain means comprising the use of Web services 
technology for the Internet user to register and manage said user identity, said 
authentication client means identity, said user private identity, and associated vital 
information [Fig. 1 paragraph 0084 lines 1-4, paragraph 0085 lines 1-5, paragraph 
0073 lines 1-9]. 

As per claim 8, the rejection of claim 1 is incorporated. In addition, 
Martherus teaches the authentication authority [Fig. 1, component 34] that 
authenticates the user and establishes and/or manages an identity profile [paragraph 
0085]. Martherus doesn't expressly mention generating the one-time identity 
codes. 

However, Guski teaches generating the one-time identity codes [col. 
6 lines 42-44 Fig. 3, Fig. 2]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Guski into the 
teaching of Martherus to generate one-time identity codes. The modification would be 
obvious because one of ordinary skill in the art would be motivated to prevent 
unauthorized access to system resources by using the intercepted passwords together 
with nonsecret information as a user ID [Guski, col. 1 lines 25-28]. 

As per claim 10, the rejection of claim 1 is incorporated and Martherus 
teaches: 

said authentication responses generated by said authentication authority means contain 
means comprising the use of Web services technology to inform said authentication 
handler said user identity [Fig. 1 paragraph 0088 32-34]. 

As per claim 11, the rejection of claim 1 is incorporated. Martherus 
teaches technology for authenticating a user using Web services [Fig. 1]. Martherus 
doesn't expressly mention synchronization codes. 

However, Guski teaches generating synchronization codes and 
conducting synchronization [Fig. 3, col. 3 lines 28-32]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Guski into the 
teaching of Martherus to generate one-time identity codes. The modification would be 
obvious because one of ordinary skill in the art would be motivated to prevent 
unauthorized access to system resources by using the intercepted passwords together 
with nonsecret information as a user ID [Guski, col. 1 lines 25-28]. 



As per claim 12, the rejection of claim 11 is incorporated and Guski 
teaches: 

said synchronization codes are arranged to be generated by math functions comprising 
hash, power and modular math operators, wherein said math functions are arranged to 
use said user identity, said authentication client identity, and said user private identity as 
the input information [Fig. 4 col. 7 lines 45-57]. 

As per claim 14, the rejection of claim 11 is incorporated and Guski 
teaches: 

said authentication authority means and said authentication client means contain means 
to generate confirmation codes to verify the success of said synchronization [Fig. 3, 4, 6 
col. 7 lines 1-3]. 

As per claim 15, the rejection of claim 1 is incorporated and Guski 
teaches: 

said authentication authority means and said authentication client means contain means 
to independently generate non-predictable sequence number which is an essential part 
for producing said one-time identity codes [Fig. 4, 6 col. 9 lines 1-8, 22-27]. 

As per claim 16, the rejection of claim 15 is incorporated and it 
encompasses limitations that are similar to limitations of claim 12. Thus, it is rejected 
with the same rationale applied against claim 12 above. 

As per claim 17, the rejection of claims 7, 12 and 16 is incorporated and 
Martherus teaches that the user private identity comprises said user's biometric identity and 
other shared secret information [paragraph 0085, paragraph 0099 lines 11-12]. In 
addition, Guski teaches the user identity [col. 6 lines 29-34]. 

As per claim 18, the rejection of claim 1 is incorporated and Martherus 
teaches: 

said authentication client means contain means comprising the use of Web services 
technology to be incorporated in a portable, hand-held device [paragraph 0013 lines 
10-12]. 

As per claim 19, the rejection of claim 1 is incorporated and Martherus 
teaches: 

said authentication handler means is arranged to be executed on said business entities' 
computers which support the use of Web service technology [Fig. 1 component 18]. 

As per claim 20, the rejection of claim 1 is incorporated and Martherus 
teaches: 

said authentication handler means contain means comprising the use of Web service 
technology to receive and process said user logon request, compose and submit 
authentication request to said authentication authority means, process and validate 
returned authentication response from said authentication authority means, and grant 
permission for said user to log onto said business entities' computer [Fig. 1 paragraph 
0088]. 

3. Claims 2, 3, 4 and 5 are rejected under 35 USC 103 (a) for being unpatentable 
over Martherus et al (US Pub No. 2002/0112155) and in view of Guski et al (US Patent 
No. 5,592,553) and further in view of Brown et al (US Pub No. 2002/0169988, L. 
Brown). 

As per claim 2, the rejection of claim 1 is incorporated and L. Brown 
teaches: 

gateway authority means contain means to interact with other entities of said gateway 
authority means, and publish said authentication authority Web services to Web service 
industry's registries [page 2 paragraph 0025, Fig. 1 "Service providers 11 host a 
network accessible software module. A service provider defines a service 
description for a Web service and publishes it to a service registry 13"]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of L. Brown into the 
teaching of Martherus and Guski that use Web services to publish and discover the 
information. The modification would be obvious because one of ordinary skill in the art 
would be motivated to use Web services because Web services offer the dual promise 
of simplicity and pervasiveness. Web services are based on the Extensible Markup 
Language (XML) standard data format and data exchange mechanisms, which provide 
both flexibility and platform independence [L. Brown, page 1 paragraph 0002, 0006]. 

As per claim 3, the rejection of claim 2 is incorporated and further L. 
Brown teaches: 

gateway authority means are arranged to use Web Services Description Language 
(WSDL) to publish said authentication authority Web services, and use Universal 
Description, Discovery and Integration (UDDI) standard to discover said authentication 
authority Web services published by other said gateway authority entities [page 3 
paragraph 0032, 0034 "The logical interface and the service implementation are 
described by the Web Services Description Language (WSDL). WSDL is an XML 
vocabulary used to automate the details involved in communicating between Web 
services applications, Referring back to FIG. 1, the service can be publicized by 
being registered in a standard-format web registry 13. This registry makes it 
possible for other people or applications to find and use the service. For 
example, one can publish descriptive information, such as taxonomy, ownership, 
business name, business type and so on, via a registry that adheres to the 
Uniform Description, Discovery and Integration (UDDI) specification or into some 
other XML registry"]. 
As per claim 4, the rejection of claim 1 is incorporated. Martherus teaches 
the Hypertext Transport Protocol (HTTP) and Secure Socket Layer (SSL) [Fig. 1, 
paragraph 0077, 0082] and further L. Brown teaches: 

authentication authority means, said authentication handler means, and said 
authentication client means are arranged to use Simple Object Access Protocol (SOAP) 
to communicate, and use Hypertext Transport Protocol (HTTP) packets to transmit data 
over Secure Socket Layer (SSL) [page 3 paragraph 0043 "The SOAP security 
extension included with WebSphere Application Server 4.0 is intended to be a 
security architecture based on the SOAP Security specification, and on widely- 
accepted security technologies such as secure socket layer (SSL). When using 
HTTP as the transport mechanism, there are different ways to combine HTTP 
basic authentication, SSL, and SOAP signatures to handle varying needs of 
security and authentication"]. 

As per claim 5, the rejection of claim 4 is incorporated and further L. 
Brown teaches: 

Data contains means to be transmitted by using File Transport Protocol (FTP) and 
Simple Mail Transport Protocol (SMTP) [page 3 paragraph 0031 "it is possible to 
send SOAP messages over IBM MQSeries®, FTP or even as mail messages"]. 
Response to Arguments 

4. Applicant's arguments filed December 16, 2005 have been fully considered but 
they are not persuasive. 

Applicant argues that: 

Martherus's Access System does not function as an authentication authority as 
described in Claim 1. Claims 6, 7, 20 are unobvious over the referenced prior art. 

Examiner maintains that: 
As per claim 1, Martherus teaches the authentication authority means to serve as Web 
services powerhouse to authenticate the user identity [Fig. 1, component 34 "Access 
Server 34 provides authentication, authorization, and auditing (logging) services. 
It further provides for identity profiles to be used across multiple domains and 
Web Servers from a single web-based authentication (sign-on). Web Gate 28 acts 
as an interface between Web Server 18 and Access Server 34. Web Gate 28 
intercepts requests from users for resources 22 and 24, and authorizes them via 
Access Server 34. Access Server 34 is able to provide centralized authentication, 
authorization, and auditing services for resources hosted on or available to Web 
Server 18 and other Web Servers" paragraph 0083, lines 3-13, "Web Server 18 is a 
standard Web Server known in the art and provides an end user with access to 
various resources via Internet 16" Fig. 1 paragraph 0075 lines 1-3, "Directory 
Server 36 is in communication with User Manager 38, Access Manager 40, System 
Console 42, and Access Server 34. Access Manager 40 is also in communication 
with Access Server 34" paragraph 0081 lines 6-10, "Directory Server 36 is an 
LDAP Directory Server and communicates with other servers/modules using 
LDAP over SSL. In other embodiments, Directory Server 36 can implement other 
protocols or can be other types of data repositories" paragraph 0082 lines 4-8]. 
Thus, Martherus teaches the Access System as described in Claim 1. 
As per claim 6, Martherus teaches the gateway authority means (Fig. 1 component 28 
"Web gate") and the authentication authority means (Fig. 1 component 34 "Access 
Server") comprising the use of Web services technology to be separated and placed in 
the Internet accessible environment to become said scalable and distributable system 
[Fig. 1, paragraph 0080 "FIG. 1 shows Web Server 18 including Web Gate 28, 
which is a software module. In one embodiment, Web Gate 28 is a plug-in to Web 
Server 18. Web Gate 28 communicates with Access Server 34", paragraph 0082 
lines 1-3]. Thus, Martherus teaches the claimed limitation. 

Martherus teaches the amended claim 7 (claim 7 is currently amended by applicant to 
include "for the Internet user" for clarity, page 18) as "the authentication authority means 
contain means comprising the use of Web services technology to register and manage 
the user identity...." [Fig. 1, "FIG. 1 depicts an Access System which provides 
identity management and access management for a network. In general, an 
Access System manages access to resources available to a network. The identity 
management portion of the Access System (hereinafter "the Identity Management 
System") manages end user identity profiles, while the access management 
portion of the Access System (hereinafter "the Access Management System") 
provides security for resources across one or more web servers" 
paragraph 0073 lines 1-9, paragraph 0083 lines 1-7 "The Access Management 
System includes Access Server 34, Web Gate 28, Web Gate 30 (if enabled), and 
Access Manager 40. Access Server 34 provides authentication, authorization, and 
auditing (logging) services. It further provides for identity profiles to be used 
across multiple domains and Web Servers from a single web-based 
authentication (sign-on)" paragraph 0085 lines 3-10]. Thus, Martherus teaches the 
claimed limitation. 

As per claim 20, Martherus teaches that the authentication handler means [Fig. 1 "Web 
server"] contain means comprising the use of Web services technology to receive and 
process said user logon request [Fig. 1, paragraph 0088 lines 9-12 "An end user 
enters a URL or an identification of a requested resource residing in a protected 
policy domain. The user's browser sends the URL as part of an HTTP request to 
Web Server 18"], compose and submit authentication request to said authentication 
authority means, process and validate returned 
authentication response from said authentication authority means (Fig. 1 "Access 
Server") [Fig. 1, paragraph 0088 lines 15-19 "The received log-on information is 
then passed back to Web Server 18 and on to Web Gate 28. Web Gate 28 in turn 
makes an authentication request to Access Server 34, which determines whether 
the user's supplied log-on information is authentic or not"], and grant permission 
for said user to log onto said business entities' computer [Fig. 1 paragraph 0088 lines 
33-34]. Therefore, the rejection to claim 20 is proper and is maintained. 

Applicant argues that: 

The combination of Martherus and Guski's teaching will produce a system that is 
inoperative for authenticating a user with time identity codes (i.e. one-time identity 
codes) as described in claim 1. Therefore, it would not have been obvious to a person of 
ordinary skill in the art at the time the invention was made to incorporate the teaching of 
Guski into the teaching of Martherus to generate the one-time identity codes. The 
referenced art (Guski) does not contain any suggestion that the computation of the 
confirmation code could meet the requirement as described in claim 14. The referenced 
art (Guski) does not contain any suggestion that the computation of the one-time 
identity code could meet the requirement as described in claim 15. 

Examiner maintains that: 

Martherus teaches technology for authenticating a user (utilizing log-on information, e.g. 
password, identity code) for a plurality of domains in a network-based system 
[paragraph 0011 lines 2-3, Fig. 1] and providing security for resources across one or 
more web servers [paragraph 0073 lines 7-9]. Guski teaches the system for 
authenticating a user to an authenticating node by a communication channel, using one- 
time passwords [col. 1 lines 11-14, Fig. 1, 3]. Therefore, it would have been obvious to 
a person of ordinary skill in the art at the time the invention was made to incorporate the 
teaching of Guski into the teaching of Martherus to generate/utilize the one-time 
passwords (i.e. one-time identity codes) for gaining access to the resources. The 
modification would be obvious because one of ordinary skill in the art would be 
motivated to prevent the unauthorized access to resources [Guski, col. 1 lines 25-28]. 
Furthermore, the examiner recognizes that obviousness can only be established by 
combining or modifying the teaching of the prior art to produce the claimed invention 
where there is some teaching, suggestion, or motivation to do so found either in the 
references themselves or in the knowledge generally available to one of ordinary skill in 
the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re 
Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case, the combination 
of Martherus and Guski teaches the claimed subject matter and the combination is 
sufficient. 

For the above reasons, it is believed that the rejections should be sustained. 
As per claim 14, Guski teaches the authentication authority means and the 
authentication client means contain means to generate confirmation codes to verify the 
success of said synchronization [Fig. 3, 4, 6 col. 6 lines 61-65 "password evaluator 
312 uses these quantities to regenerate the original time/date 308, which is 
compared with the reference time date 316(i.e. synchronization)" col. 7 lines 1-3 
"the password evaluator sends a message (i.e. confirmation codes) 322 to the 
requesting node 102"]. Thus, Guski teaches the claimed limitation. 
As per claim 15, Guski teaches that the authentication authority means and the 
authentication client means contain means to independently generate a non-predictable 
sequence number which is an essential part for producing the one-time identity codes 
[Fig. 4, 6 col. 9 lines 1-8, 22-27 "the AP values (as well as the values of the 
corresponding passwords PW) for successive time values T are highly random in 
appearance; to a person without the key K, knowledge of the AP or password 
value for one time period provides no useful information about the value for 
another time period, even if it is the very next period", col. 7 lines 45-49 "FIGS. 4 
and 5 show the procedure used by the password generator 300 (FIG. 3) to 
generate a one-time password 310 (i.e. one-time identity code) as a function of a 
secret quantity (the host signon key 306)(i.e. non-predictable sequence number), 
nonsecret information 302 and 304 identifying the user and the host application, 
and time/date information 308"]. Therefore, the rejection to claim 15 is proper and is 
maintained. 
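The mechanism the examiner describes for claims 14 and 15 (a one-time code computed from a secret key, nonsecret user and host identifiers, and a time/date quantity; an evaluator that regenerates the time, compares it with its own reference time, and returns a confirmation) can be shown end to end in a few dozen lines. The following is an added illustration written for this discussion; it is not code from Guski, Martherus, the applicant, or this office action. The key, identifiers and clock readings are constructed sample values, and HMAC-SHA256 with dynamic truncation and a modular reduction is an assumed stand-in for the hash, power and modular functions the claims recite; the replay check on the last accepted time period is an added defensive detail, not something the cited references are quoted as teaching.

```python
import hmac
import hashlib
import struct

# Constructed sample values for this example (not taken from the cited references).
HOST_SIGNON_KEY = b"constructed-demo-key-do-not-reuse"   # shared secret K
USER_ID = "alice"          # nonsecret information identifying the user
HOST_APP = "payroll-app"   # nonsecret information identifying the host application
STEP_SECONDS = 60          # granularity of the time/date quantity


def time_step(unix_time: int) -> int:
    """Quantize a clock reading into the time period the code is bound to."""
    return unix_time // STEP_SECONDS


def one_time_code(key: bytes, user_id: str, host_app: str, step: int, digits: int = 8) -> str:
    """Generator side: derive the code from (K, nonsecret ids, time period).

    HMAC-SHA256 followed by dynamic truncation and a modular reduction is an
    assumption standing in for whatever hash/power/modular functions a real
    design uses; without K, one period's code says nothing about the next.
    """
    msg = user_id.encode() + b"\x00" + host_app.encode() + b"\x00" + struct.pack(">Q", step)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)             # modular reduction


class PasswordEvaluator:
    """Evaluator side: regenerates the expected code for its own reference time and
    the neighbouring periods (the synchronization tolerance), accepts a match that
    lands inside that window, and refuses any period at or below the last one
    already used for that user, so a captured code cannot be presented twice."""

    def __init__(self, key: bytes, host_app: str, window: int = 1):
        self.key = key
        self.host_app = host_app
        self.window = window
        self.last_accepted = {}   # user_id -> last accepted time step

    def evaluate(self, user_id: str, presented: str, reference_time: int) -> dict:
        """Return a confirmation record: accepted flag, reason, and clock skew in steps."""
        ref_step = time_step(reference_time)
        for delta in range(-self.window, self.window + 1):
            step = ref_step + delta
            expected = one_time_code(self.key, user_id, self.host_app, step)
            if hmac.compare_digest(expected, presented):        # constant-time compare
                if step <= self.last_accepted.get(user_id, -1):
                    return {"accepted": False, "reason": "replay", "skew_steps": delta}
                self.last_accepted[user_id] = step
                return {"accepted": True, "reason": "ok", "skew_steps": delta}
        return {"accepted": False, "reason": "no match in window", "skew_steps": None}


if __name__ == "__main__":
    client_time = 1_700_000_000   # constructed clock reading on the requesting node
    code = one_time_code(HOST_SIGNON_KEY, USER_ID, HOST_APP, time_step(client_time))
    evaluator = PasswordEvaluator(HOST_SIGNON_KEY, HOST_APP)
    print(evaluator.evaluate(USER_ID, code, client_time + 30))   # fresh code, accepted
    print(evaluator.evaluate(USER_ID, code, client_time + 30))   # same code again, refused
```

The `skew_steps` field in the confirmation record is what the synchronization step reports: it tells the evaluator how far the requesting node's clock is from its own reference time, and a deployment can use it to resynchronize or to alert when the drift keeps growing.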

Applicant argues that: 

The combination of Martherus, Guski and L. Brown's teaching will not produce a system 
that is operative for authenticating a user with one-time identity codes. 

Examiner maintains that: 

Martherus teaches technology for authenticating a user (utilizing log-on information, e.g. 
password, identity code) for a plurality of domains in a network-based system 
[paragraph 0011 lines 2-3, Fig. 1] and providing security for resources across one or 
more web servers [paragraph 0073 lines 7-9]. Further, Martherus teaches the Web 
services technology [Fig. 1, Web server, Internet, URL, various protocols (LDAP, 
FTP, HTTP, TCP/IP), programs (e.g. Java, C++, EJB)]. Guski teaches the system for 
authenticating a user to an authenticating node by a communication channel, using one- 
time passwords [col. 1 lines 11-14, Fig. 1, 3]. L. Brown teaches the Web service 
technology [Fig. 6], which is utilized to publish the Web services [paragraph 0025, line 4- 
6]. In this case, the combination of Martherus, Guski and L. Brown teaches the claimed 
subject matter and the combination is sufficient. 

For the above reasons, it is believed that the rejections should be sustained. 



Application/Control Number: 10/082,982 Page 19 

Art Unit: 2135 

Conclusion 

5. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is 
not mailed until after the end of the THREE-MONTH shortened statutory period, then 
the shortened statutory period will expire on the date the advisory action is mailed, and 
any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for reply expire 
later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Nirav Patel whose telephone number is 571-272- 
5936. The examiner can normally be reached on 8 am - 4:30 pm (M-F). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on 571-272-3859. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 
Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 